Brussels, 19 December 2012 – The European Commission has today formally recognised the adequacy of personal data protection in New Zealand, opening the way for increased trade with the European Union. The decision by the Commission recognises that New Zealand’s data protection standards are compatible with those of the EU and that they ensure adequate protection of EU citizens' personal data. The aim is to facilitate the free flow of personal data across borders so that businesses handling data can rely on legal certainty in data protection rules, while maintaining a high standard of protection for Europeans’ personal data – a fundamental right for citizens in the EU.

''While we work on reforming EU rules to guarantee personal data protection at home, we also need to make sure our citizens’ data is safe when transferred outside the EU too," said Vice-President Reding, the EU’s Justice Commissioner. "This decision is another step to boosting trade with our international partners while helping to set high standards for personal data protection at a global level.”

Personal data is increasingly transferred across borders and stored on servers in multiple countries within and beyond the EU. In this brave new digital age of social networking and cloud computing where digital data is everywhere and anywhere, we need stable rules for transfers of personal data beyond EU borders.

There are also benefits for the economy and trade. Rules which recognise the adequacy of data protection standards make life easier for EU businesses by providing legal certainty in their international operations. By rubber-stamping the data protection rules of a third country, the EU is giving a substantial vote of confidence to its overall regulatory environment which facilitates personal data transfers and boosts the EU's trade with that country.

New Zealand is a prominent member of the Asia-Pacific Economic Cooperation forum – APEC. Total trade in goods between New Zealand and the EU amounts to €6.7bn a year while trade in services is worth €3.1bn annually.

Background

The EU’s 1995 Data Protection Directive applies to the European Economic Area (EEA), which includes all EU countries as well as non-EU countries Iceland, Liechtenstein and Norway.

Special precautions need to be taken when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection. Without such precautions, the high standards of data protection established by the EU's Data Protection Directive would quickly be undermined, given the ease with which data can be moved around in international networks.

The Directive states that personal data can be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed. For example, the basic principles in EU data protection rules must be guaranteed by legal standards and there must be independent supervision of these standards.

The Council and the European Parliament have given the Commission the power to determine, on the basis of Article 25(6) of directive 95/46/EC whether a third country ensures an adequate level of protection through its domestic law or through the international commitments it has entered into.

The effect of such a decision is that personal data can flow from the 27 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

In January 2012, the Commission adopted a proposal to modernise the current EU legal framework for data protection (see IP/12/46 and MEMO/12/41). Under the new legislation – currently under discussion in the European Parliament and the Council of the EU – the adequacy procedure in the 1995 Directive would continue and will better specify the criteria and requirements for assessing the level of data protection in a third country or an international organisation.